Thank you all for your inputs. After doing a tedious research to no avail, we decided stick to our "internal approach", as there seems to be no right or wrong answer - let alone this is not even a critical field to begin with.
@Retread That is an interesting case indeed. How did you ever find out the MOs were purchased using stolen CC info? The perpetrator must've been an honest crook
As for our customer, we do not know the source.